Full release of actions/core 1.6.0 with oidc behavior #919

Merged
merged 55 commits into from Sep 28, 2021
Changes from 53 commits
Commits
bdacfc4
Initial draft of OIDC Client
souravchanduka Jul 1, 2021
1322acb
Comments Resolved
souravchanduka Jul 12, 2021
f733089
oidc client changes
souravchanduka Jul 20, 2021
c45ad60
require added
souravchanduka Jul 20, 2021
53a7529
Resolved issues
souravchanduka Jul 20, 2021
4831d7a
removed unnecessary files
souravchanduka Jul 20, 2021
9df7428
package.json modified
souravchanduka Jul 20, 2021
8071504
added dist folder
souravchanduka Jul 26, 2021
962ff70
updated readme
souravchanduka Jul 26, 2021
885469e
updated version
souravchanduka Jul 26, 2021
a6114b6
version updated
souravchanduka Jul 26, 2021
f541fb1
version update
souravchanduka Jul 26, 2021
7965cc3
null ref fix
souravchanduka Jul 27, 2021
456cf5a
package.json updated
souravchanduka Jul 27, 2021
58dfa1c
readme modified
souravchanduka Jul 27, 2021
330dc0b
Updated Readme
souravchanduka Jul 28, 2021
662a937
Resolved comments
souravchanduka Jul 28, 2021
a2adaa8
Readme updated
souravchanduka Jul 28, 2021
ff90431
Update README.md
souravchanduka Jul 28, 2021
0c1cb72
Resolved Comments
souravchanduka Jul 29, 2021
5afccaa
removed whitespaces
souravchanduka Jul 29, 2021
9c6e7d8
Moved oidc functionality to actions/core
souravchanduka Aug 4, 2021
0a94a78
README.md updated
souravchanduka Aug 4, 2021
f559006
Resolved Comments
souravchanduka Aug 9, 2021
aa1968c
async call fix
souravchanduka Aug 10, 2021
5d9c674
comments resolved
souravchanduka Aug 10, 2021
cca2b18
Addressed Comments
souravchanduka Aug 10, 2021
33891d9
addressed comments
souravchanduka Aug 12, 2021
dac801e
error message updated
souravchanduka Aug 12, 2021
d0f4aae
Error Message updated
souravchanduka Aug 12, 2021
c7ec407
resolved comments
souravchanduka Aug 16, 2021
1c86c4c
payload updated
souravchanduka Aug 16, 2021
22e5d95
addressed comments
souravchanduka Aug 17, 2021
547e30c
addressed comments
souravchanduka Aug 18, 2021
619566e
Merge branch 'main' into main-oidc-client
souravchanduka Aug 18, 2021
3ceb264
readme updated
souravchanduka Aug 18, 2021
1162975
removed whitespaces
souravchanduka Aug 18, 2021
1c03cd3
audience can be undefined
souravchanduka Aug 18, 2021
1f8d7b5
default aud parameter
souravchanduka Aug 18, 2021
09e9478
comments resolved
souravchanduka Aug 19, 2021
4631854
version updated
souravchanduka Aug 19, 2021
2b58973
Merge branch 'main' into main-oidc-client
souravchanduka Aug 19, 2021
d9212ff
Addressed minor comments
souravchanduka Aug 23, 2021
af75719
Merge branch 'main-oidc-client' of https://github.com/souravchanduka/…
souravchanduka Aug 23, 2021
0bab362
eslint fix
souravchanduka Aug 23, 2021
3da67ac
Merge pull request #887 from souravchanduka/main-oidc-client
TingluoHuang Aug 25, 2021
d7dd89f
react to service changes.
TingluoHuang Aug 25, 2021
a7aa89a
lint
TingluoHuang Aug 25, 2021
eb88fce
lint
TingluoHuang Aug 25, 2021
b2c6bee
encoding.
TingluoHuang Aug 25, 2021
fe8d95a
lint
TingluoHuang Aug 26, 2021
5c3e1c2
Merge pull request #893 from actions/users/tihuang/oidcupdate
TingluoHuang Aug 26, 2021
8360bae
beta release of 1.6.0 for oidc preview (#894)
thboop Aug 26, 2021
0a588c3
update for merging into main
thboop Sep 28, 2021
4eaf5d5
fix release notes
thboop Sep 28, 2021
22,059 changes: 22,033 additions & 26 deletions package-lock.json

Large diffs are not rendered by default.

48 changes: 48 additions & 0 deletions packages/core/README.md
Expand Up @@ -257,3 +257,51 @@ var pid = core.getState("pidToKill");

process.kill(pid);
```

#### OIDC Token

You can use these methods to interact with the GitHub OIDC provider and get a JWT ID token which would help to get access token from third party cloud providers.

**Method Name**: getIDToken()

**Inputs**

audience : optional

**Outputs**

A [JWT](https://jwt.io/) ID Token

In action's `main.ts`:
```js
const core = require('@actions/core');
async function getIDTokenAction(): Promise<void> {

const audience = core.getInput('audience', {required: false})

const id_token1 = await core.getIDToken() // ID Token with default audience
const id_token2 = await core.getIDToken(audience) // ID token with custom audience

// this id_token can be used to get access token from third party cloud providers
}
getIDTokenAction()
```

In action's `actions.yml`:

```yaml
name: 'GetIDToken'
description: 'Get ID token from Github OIDC provider'
inputs:
audience:
description: 'Audience for which the ID token is intended for'
required: false
outputs:
id_token1:
description: 'ID token obtained from OIDC provider'
id_token2:
description: 'ID token obtained from OIDC provider'
runs:
using: 'node12'
main: 'dist/index.js'
```
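Review bot: The `actions.yml` example declares outputs `id_token1` and `id_token2`, but the `main.ts` example above it never calls `core.setOutput`, so a reader copying both gets two empty outputs. Because the token is a bearer credential (the library itself registers it with `setSecret` in `oidc-utils.ts`), I would remove the `outputs` block from the example rather than add `setOutput` calls, and show the action exchanging the token itself. A smaller point in the same snippet: it is fenced as `js` and uses `require`, yet carries a TypeScript return annotation (`: Promise<void>`), so it will not run as written in either language.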
3 changes: 3 additions & 0 deletions packages/core/RELEASES.md
@@ -1,5 +1,8 @@
# @actions/core Releases

### 1.6.0
- [Added OIDC Client function `getIDToken`](https://github.com/actions/toolkit/pull/887)
Review comment (Member): we need to update the link


### 1.5.0
- [Added support for notice annotations and more annotation fields](https://github.com/actions/toolkit/pull/855)

18 changes: 18 additions & 0 deletions packages/core/__tests__/core.test.ts
Expand Up @@ -2,6 +2,7 @@ import * as fs from 'fs'
import * as os from 'os'
import * as path from 'path'
import * as core from '../src/core'
import {HttpClient} from '@actions/http-client'
import {toCommandProperties} from '../src/utils'

/* eslint-disable @typescript-eslint/unbound-method */
Expand Down Expand Up @@ -434,3 +435,20 @@ function verifyFileCommand(command: string, expectedContents: string): void {
fs.unlinkSync(filePath)
}
}

function getTokenEndPoint(): string {
return 'https://vstoken.actions.githubusercontent.com/.well-known/openid-configuration'
}

describe('oidc-client-tests', () => {
Review comment (Member): I hope we could have some real tests.

it('Get Http Client', async () => {
const http = new HttpClient('actions/oidc-client')
expect(http).toBeDefined()
})

it('HTTP get request to get token endpoint', async () => {
const http = new HttpClient('actions/oidc-client')
const res = await http.get(getTokenEndPoint())
expect(res.message.statusCode).toBe(200)
})
})
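Review bot: Neither test in `oidc-client-tests` calls `getIDToken`, and the second one issues a live `http.get` to the hard-coded `vstoken.actions.githubusercontent.com` discovery URL, so the suite depends on network access while leaving the new code path uncovered. I would mock the HTTP client and set `ACTIONS_ID_TOKEN_REQUEST_URL` and `ACTIONS_ID_TOKEN_REQUEST_TOKEN` inside the tests, then assert on the two missing-variable errors, the `encodeURIComponent` handling of `audience`, and the error raised when the response has no `value` field.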
52 changes: 50 additions & 2 deletions packages/core/package-lock.json

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

5 changes: 4 additions & 1 deletion packages/core/package.json
@@ -1,6 +1,6 @@
{
"name": "@actions/core",
"version": "1.5.0",
"version": "1.6.0-beta.0",
Review comment (Member): need to update the version.

"description": "Actions core lib",
"keywords": [
"github",
Expand Down Expand Up @@ -35,6 +35,9 @@
"bugs": {
"url": "https://github.com/actions/toolkit/issues"
},
"dependencies": {
"@actions/http-client": "^1.0.11"
},
"devDependencies": {
"@types/node": "^12.0.2"
}
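Review bot: The added `dependencies` block gives this package a runtime dependency on `@actions/http-client` with a floating caret range (`^1.0.11`), and that client is the component that attaches the bearer request token in `oidc-utils.ts`. Every action that bundles this package will pick up whichever matching release resolves at its build time, so I would decide the range deliberately (an exact version, or the caret range with the lockfile called out) and mention the new dependency in `RELEASES.md` next to the `getIDToken` entry.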
6 changes: 6 additions & 0 deletions packages/core/src/core.ts
Expand Up @@ -5,6 +5,8 @@ import {toCommandProperties, toCommandValue} from './utils'
import * as os from 'os'
import * as path from 'path'

import {OidcClient} from './oidc-utils'

/**
* Interface for getInput options
*/
Expand Down Expand Up @@ -348,3 +350,7 @@ export function saveState(name: string, value: any): void {
export function getState(name: string): string {
return process.env[`STATE_${name}`] || ''
}

export async function getIDToken(aud?: string): Promise<string> {
return await OidcClient.getIDToken(aud)
}
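Review bot: The new exported `getIDToken` has no doc comment, unlike the commented declarations visible earlier in this file. Please add a JSDoc block that says what `aud` is, that the default audience is used when it is omitted, and that the returned token is registered as a secret before it is handed back. The `return await` is also redundant in a function that does nothing else with the promise; a plain `return OidcClient.getIDToken(aud)` behaves the same.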
84 changes: 84 additions & 0 deletions packages/core/src/oidc-utils.ts
@@ -0,0 +1,84 @@
/* eslint-disable @typescript-eslint/no-extraneous-class */
import * as actions_http_client from '@actions/http-client'
import {IRequestOptions} from '@actions/http-client/interfaces'
import {HttpClient} from '@actions/http-client'
import {BearerCredentialHandler} from '@actions/http-client/auth'
import {debug, setSecret} from './core'
interface TokenResponse {
value?: string
}

export class OidcClient {
private static createHttpClient(
allowRetry = true,
maxRetry = 10
): actions_http_client.HttpClient {
const requestOptions: IRequestOptions = {
allowRetries: allowRetry,
maxRetries: maxRetry
}

return new HttpClient(
'actions/oidc-client',
[new BearerCredentialHandler(OidcClient.getRequestToken())],
requestOptions
)
}

private static getRequestToken(): string {
const token = process.env['ACTIONS_ID_TOKEN_REQUEST_TOKEN']
Review comment:

Using ACTIONS_ID_TOKEN_REQUEST_TOKEN is inconsistent with the document where it suggests using ACTIONS_RUNTIME_TOKEN:

https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-cloud-providers#requesting-the-jwt-using-environment-variables

```yaml
jobs:
  job:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/github-script@v6
      id: script
      timeout-minutes: 10
      with:
        debug: true
        script: |
          const token = process.env['ACTIONS_RUNTIME_TOKEN']
          const runtimeUrl = process.env['ACTIONS_ID_TOKEN_REQUEST_URL']
          core.setOutput('TOKEN', token.trim())
          core.setOutput('IDTOKENURL', runtimeUrl.trim())
```

Also see github/docs#32573

if (!token) {
throw new Error(
'Unable to get ACTIONS_ID_TOKEN_REQUEST_TOKEN env variable'
)
}
return token
}

private static getIDTokenUrl(): string {
const runtimeUrl = process.env['ACTIONS_ID_TOKEN_REQUEST_URL']
if (!runtimeUrl) {
throw new Error('Unable to get ACTIONS_ID_TOKEN_REQUEST_URL env variable')
}
return runtimeUrl
}

private static async getCall(id_token_url: string): Promise<string> {
const httpclient = OidcClient.createHttpClient()

const res = await httpclient
.getJson<TokenResponse>(id_token_url)
.catch(error => {
throw new Error(
`Failed to get ID Token. \n
Error Code : ${error.statusCode}\n
Error Message: ${error.result.message}`
)
})

const id_token = res.result?.value
if (!id_token) {
throw new Error('Response json body do not have ID Token field')
}
return id_token
}

static async getIDToken(audience?: string): Promise<string> {
try {
// New ID Token is requested from action service
let id_token_url: string = OidcClient.getIDTokenUrl()
if (audience) {
const encodedAudience = encodeURIComponent(audience)
id_token_url = `${id_token_url}&audience=${encodedAudience}`
}

debug(`ID token url is ${id_token_url}`)

const id_token = await OidcClient.getCall(id_token_url)
setSecret(id_token)
return id_token
} catch (error) {
throw new Error(`Error message: ${error.message}`)
}
}
}
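Review bot: In `getCall`, the `.catch` handler reads `error.result.message`, which assumes every rejection carries a `result` object; a failure without one (for example a connection error) would throw a `TypeError` inside the handler and hide the real cause. Guard the access, e.g. `error.result?.message ?? error.message`, and the same applies to `error.statusCode` being undefined in the message. Separately, in `getIDToken` the line `id_token_url = `${id_token_url}&audience=${encodedAudience}`` only yields a valid URL if `ACTIONS_ID_TOKEN_REQUEST_URL` already contains a query string; building it with `new URL(...)` and `searchParams.set('audience', audience)` removes that assumption. The outer `catch` that rethrows `Error message: ${error.message}` also discards the original stack, so consider rethrowing the original error.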